Multi-record, custom field Splunk alert examples
- Updated Jan 30, 2025
- Yokohama
- ServiceNow Security Operations add-on for Splunk
When you create multi-record Splunk alerts with custom fields, you must define the search criteria that generate the alert data: each row returned by the search becomes one record, and each column becomes a field on that record. Examples of search criteria for security incidents and security events are shown below.
Security incident search
For a security incident, these criteria build a search whose result columns fill in the corresponding columns of the security incident table.
Example
Security event search
For a security event, this is the same search, but its columns populate security event fields instead. If the event is later turned into a security incident, any populated columns that have no matching field on the event are transferred to the security incident. Otherwise, they remain in the additional information field of the event and of the alert.
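The following is an added illustration of the kind of search both sections describe; it is not the example from the original page and not ServiceNow's or Splunk's own code. The index (`security`), sourcetype (`firewall`), the source fields (`action`, `src_ip`, `dest_ip`) and the threshold values are all assumed, and the output column names are chosen to line up with ServiceNow record fields that the alert's custom field mapping would point at (`short_description` and `description` are standard task fields; the others are assumed for this illustration). Every row of the final table becomes one security incident or one security event, depending on which alert action the search is attached to.

```spl
index=security sourcetype=firewall action=blocked
    earliest=-15m
/* One row per source address: a burst of blocked connections
   from the same source is what we want to turn into a record. */
| stats count AS event_count,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(dest_ip) AS dest_ips
    BY src_ip
/* Only sources above a (hypothetical) noise threshold produce a record. */
| where event_count > 50
/* Derive one column per target record field. short_description and
   description are standard ServiceNow task fields; category and
   priority are assumed here to be mapped as custom fields. */
| eval short_description = "Blocked connection burst from " . src_ip
| eval description = src_ip . " was blocked " . event_count . " times between "
        . strftime(first_seen, "%Y-%m-%d %H:%M:%S") . " and "
        . strftime(last_seen,  "%Y-%m-%d %H:%M:%S")
| eval category = "Network"
| eval priority = if(event_count > 500, 2, 3)
/* The column list is the record layout: one column per field the alert
   action is configured to populate, plus the raw values kept for context. */
| table short_description, description, category, priority,
        src_ip, dest_ips, event_count, first_seen, last_seen
```

Attached to a security incident alert, the columns named after incident fields populate the security incident table directly. Attached to a security event alert, the same search runs unchanged; columns that match an event field populate the event, and columns with no counterpart on the event (in this construction, for instance `priority`) stay in the event's additional information field until the event is promoted to a security incident, at which point they are carried across. Checking the result table in Splunk before saving the alert is the quickest way to confirm that every expected column is present and non-empty for the rows that will become records.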